How pro bono services from cybersecurity students are helping secure community organizations

RIT’s Cybersecurity Clinic provides free assessments and gives students real-world experience

A team of cybersecurity students is completing a pro bono project to test and analyze the cybersecurity of Geva Theatre. During one of their visits, Mitchell Windahl, left, Jack Tumulty, Caden Wright, and Phillip Johnson got to see the stage for the play “Sancocho.”

Fifth-year cybersecurity student Mitchell Windahl is on the lookout for sensitive data, and he’s doing it to help a local organization strengthen its digital defenses.

Through the Cybersecurity Clinic at RIT’s ESL Global Cybersecurity Institute, teams of students provide free cyber assessment services and resources to community groups, including nonprofits, small businesses, municipal organizations, and school districts. It is modeled after free clinics at medical schools and law schools.

The aim of the Cybersecurity Clinic is for students to gain valuable hands-on experience while helping real-world clients with limited resources. The projects also serve as an option for students completing their capstone requirements in the cybersecurity degree programs.

Since the clinic launched in 2023, 189 students have assisted 47 organizations with cybersecurity assessments, penetration testing, and enhancing security postures. This semester, the clinic is helping Geva Theatre, Refugees Helping Refugees, and the Genesee-Orleans Regional Arts Council, among other organizations that applied to take part in the program.

Windahl and his team chose to work with Geva Theatre, a nonprofit regional performing arts and education organization. He picked the project, in part, because his sister was a musical theater major.

“The biggest difference between class and the clinic environment is that client relationship,” said Windahl, who is from Olmsted Falls, Ohio, and is completing a Combined Accelerated BS/MS in cybersecurity. “We had to not only plan which cybersecurity concerns to address but also explain it to our client and have them approve it, which is extremely valuable.”

The student team did three groups of assessments with the theater. With an external assessment, the team looked at the public-facing website and performed social engineering tests. During internal tests, the team went onsite to look at the wireless security and tested the access and security controls in place. In a final report, the team identified key risks and strengths and included a more in-depth technical discussion about their findings and action items for the organization.

James Haskins, executive director of Geva Theatre, noted that the theater places a high priority on assuring the security and privacy of information about patrons, donors, and employees. When learning about RIT’s Cybersecurity Clinic program, he welcomed the opportunity to have a student team review and test the organization’s security.

“Working with the RIT team has been excellent,” said Haskins. “Their approach is very professional—carefully planned, rigorously executed, and well documented, with full consideration of our schedules so as not to impact performances and other theater activities. They communicated clearly throughout the project, including using our input.”

The services provided by RIT cybersecurity students help give a better understanding of what’s going on in the organization’s cyberspace, so it can learn where it might be vulnerable. The students can also provide resources to institute better cybersecurity policies, procedures, and training.

On campus, the clinic teams work out of the Security Assessment and Forensic Examination (SAFE) Lab, which also does commercial testing for clients.

Cambria Kinkelaar, Jaden Moore, and Aarthi Kosaraju chose to work with the local nonprofit outreach center Refugees Helping Refugees as their capstone clinic project. Kinkelaar noted that, according to a 2021 Microsoft Digital Defense report, nonprofit organizations were the second most targeted sector by cybercriminals.

“Nonprofits are frequently targeted because they don’t always have dedicated infrastructure, dedicated IT staff, yet they are still in charge of securing important data,” said Kinkelaar, who is a fifth-year cybersecurity and public policy double major from Bergen, N.Y. “Oftentimes, nonprofits don’t really know what they need to know or when something is a problem.”

Kinkelaar’s team decided to focus on building a cybersecurity foundation for their client. The students went to the organization’s office every Thursday to take inventory of devices and upgrade the Microsoft environment to employ more cybersecurity measures and centralized management. The students are also pushing out security policies and meeting with employees to provide basic cybersecurity training.

“This clinic project has opened my eyes to how little nonprofits have for cybersecurity and what help they need,” said Kinkelaar. “I feel like we’re making a difference in the organization. It’s been great to actually work with a nonprofit and understand the environment, solidifying that this might be something I want to do after school.”

RIT has been a founding member of the Consortium of Cybersecurity Clinics since its establishment in 2021, and was one of the first universities to establish a cybersecurity clinic. In 2023, RIT received support from the Google Cybersecurity Clinics Fund to publicly launch its clinic and expand its pro bono services to a broad set of under-resourced entities.

Organizations can apply now

RIT’s Cybersecurity Clinic is seeking projects for next semester. Interested organizations can apply on the clinic’s website and detail their cybersecurity needs. Accepted clients will be matched with a team of students and supervising faculty who will conduct cybersecurity assessments and testing, and develop remediation plans tailored to their requirements.